{{tag>[security openldap centos6.5]}}
=====CentOS 6 - OpenLDAP 2.4 client with TLS=====
====Install packages====
<code>yum install pam_ldap nss-pam-ldapd sssd openldap-clients</code>
====Configure OpenLDAP client====
===Import CA root certificate===
  mkdir -p /etc/openldap/cacerts
  cp caroot.crt /etc/openldap/cacerts/

===Authconfig===
<code>authconfig-tui
[*] Use LDAP
[*] Use Shadow passwords
[*] Use LDAP Authentication
[*] Local authorization is sufficient

[*] Use TLS
Server: ldaps://<your server FQDN:636>
Base DN: <your DN></code>

===Configure ldap.conf===
<code>
vi /etc/openldap/ldap.conf

URI ldaps://<yourserver FQDN>:636/
BASE <your DN>
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
</code>

===Configure pam_ldap===
<code>
vi /etc/pam_ldap.conf

base <your DN> 
uri ldaps://<yourserver>:636/
pam_password exop 
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
</code>

===Configure sssd.conf====
<code>
vi /etc/sssd/sssd.conf
  
!Configure FQDN server names!
ldap_chpass_uri = ldaps://<your ldap server FQDN>

[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
</code>

===Test===
  service sssd restart

  See if symlink exists in /etc/openldap/cacerts

  ldapsearch -x -b "dc=<your DN>"
  
  getent passwd <username>
  getent group <groupname>
  id -a <username>

===Clear the SSSD cache===  
You can clear the passwd/group cache with
  sss_cache -U -G